Five years ago we started to get worried about the strength of the OpenPGP keys. In May 2009 I stated in a mail to d-d-a[0] that as a project we should be making an orderly move towards stronger keys, but not at the expense of our Web of Trust.

In September 2009 I reminded[1] people to ensure their new keys had a reasonable number of signatures before requesting replacement.

On October 1st 2010 we stopped[2] accepting new keys smaller than 2048 bits into the Debian keyrings.

This year, in March[3], we stated that while we were not yet doing a mass removal we were aggressively deprecating the use of 1024 bit keys.

Earlier this week I sent emails directly to the 650+ Debian Developers and Debian Maintainers who still have keys less than 2048 bits in our keyrings. This informed them that their key will be removed from the relevant keyring at the end of the year (31st December 2014).
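For anyone who wants to check a keyring for the same condition before the deadline, here is an added example (not part of this announcement, and not the keyring-maint team's own tooling) that parses the machine-readable output of `gpg --with-colons --list-keys` and reports every RSA, DSA or ElGamal key below 2048 bits. It goes slightly beyond the primary-key check described above by also flagging undersized subkeys, and it deliberately skips ECC keys, whose bit length (255 for Ed25519, for instance) is not comparable to an RSA modulus. The listing embedded below is constructed; the key IDs, fingerprints and user IDs are placeholders, not real Debian keys.

```python
"""Audit a GnuPG colon-format key listing for keys below a minimum size.

Added example, not part of the original announcement. The sample listing
is constructed: key IDs, fingerprints, dates and user IDs are placeholders.
"""
import sys

MIN_BITS = 2048

# Public-key algorithm IDs from RFC 4880 section 9.1 (plus the ECC IDs
# GnuPG reports) as they appear in field 4 of a pub/sub record.
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# A bit-length threshold only makes sense for these algorithms; ECC key
# sizes are much smaller numerically and must not be compared to 2048.
SIZE_CHECKED_ALGOS = {1, 2, 3, 16, 17}

# Constructed sample of `gpg --with-colons --list-keys` output:
# a 1024-bit DSA/ELG key, a 4096-bit RSA key, a 2048-bit RSA key with a
# 1024-bit RSA subkey, and an Ed25519/cv25519 key (skipped by the check).
SAMPLE_LISTING = """\
tru::1:1400000000:0:3:1:5
pub:u:1024:17:0000000000000001:1100000000:::u:::scaESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1100000000::0000000000000000000000000000000000000002::Example Developer One <dev1@example.org>::::::::::0:
sub:u:2048:16:0000000000000002:1100000000::::::e::::::23:
pub:u:4096:1:0000000000000003:1300000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1300000000::0000000000000000000000000000000000000004::Example Developer Two <dev2@example.org>::::::::::0:
sub:u:4096:1:0000000000000004:1300000000::::::e::::::23:
pub:u:2048:1:0000000000000005:1250000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000005:
uid:u::::1250000000::0000000000000000000000000000000000000006::Example Developer Three <dev3@example.org>::::::::::0:
sub:u:1024:1:0000000000000006:1250000000::::::e::::::23:
pub:u:255:22:0000000000000007:1400000000:::u:::scESC::::::ed25519::0:
fpr:::::::::0000000000000000000000000000000000000007:
uid:u::::1400000000::0000000000000000000000000000000000000008::Example Developer Four <dev4@example.org>::::::::::0:
sub:u:255:18:0000000000000008:1400000000::::::e::::::cv25519:
"""


def parse_listing(text):
    """Turn colon-separated gpg output into a list of primary-key records.

    Each record: {"keyid", "bits", "algo", "uid", "subkeys": [...]}.
    Field layout (1-based): 1 record type, 3 key length, 4 algorithm,
    5 key ID, 10 user ID (for uid records).
    """
    keys = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            keys.append({"keyid": fields[4], "bits": int(fields[2]),
                         "algo": int(fields[3]), "uid": None, "subkeys": []})
        elif rtype == "sub" and keys:
            keys[-1]["subkeys"].append({"keyid": fields[4],
                                        "bits": int(fields[2]),
                                        "algo": int(fields[3])})
        elif rtype == "uid" and keys and keys[-1]["uid"] is None:
            # Keep the first user ID as the display name for the key.
            keys[-1]["uid"] = fields[9]
    return keys


def weak_keys(text, min_bits=MIN_BITS):
    """Return (primary keyid, keyid, role, bits, algo, uid) for every
    size-checked primary key or subkey whose length is below min_bits."""
    findings = []
    for key in parse_listing(text):
        candidates = [("primary", key)] + [("subkey", s) for s in key["subkeys"]]
        for role, k in candidates:
            if k["algo"] in SIZE_CHECKED_ALGOS and k["bits"] < min_bits:
                findings.append((key["keyid"], k["keyid"], role, k["bits"],
                                 ALGO_NAMES.get(k["algo"], str(k["algo"])),
                                 key["uid"]))
    return findings


if __name__ == "__main__":
    # Read a real listing from stdin if one is piped in, else use the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for primary, keyid, role, bits, algo, uid in weak_keys(listing):
        print(f"{primary} {role:7} {keyid} {algo}-{bits} {uid}")
```

Run it as `gpg --with-colons --list-keys | python3 audit_keys.py` (the file name is an assumption) to list the offending keys in a local keyring; on the constructed sample it reports the 1024-bit DSA primary key and the 1024-bit RSA subkey, and nothing for the 2048-bit, 4096-bit or Ed25519 entries.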

I am pleased to report that we have already seen 40+ requests for replacement submitted to RT as a result, and expect to see more during the weeks after DebConf. I would ask that DDs make some effort to help those with weak keys get their new, stronger keys signed. Please sign responsibly[4]; this is an opportunity for us to improve our web of trust.